On distributed monitoring of asynchronous 

systems 



Volkcr Diekert 1 and Anca Muscholl 2 

1 Universitat Stuttgart, FMI, Germany 
2 LaBRI, Univ. of Bordeaux, France 

1 Introduction 

Distributed systems are notoriously difficult to understand and analyze in or- 
der to assert their correction w.r.t. given properties. They often exhibit a huge 
number of different behaviors, as soon as the active entities (peers, agents, pro- 
cesses, . . . ) behave in an asynchronous manner. Already the modelization of such 
systems is a non-trivial task, let alone their formal verification. 

Several automata-based distributed models have been proposed and studied 
over the past twenty years, capturing various aspects of distributed behavior. 
Depending on the motivation, such models fall into two large categories. In the 
first one we find rather simple models, expressing basic synchronization mecha- 
nisms, like Petri nets or communicating automata. In the second category we see 
more sophisticated models, conceived for supporting practical system design, like 
statecharts or I/O automata. It is clear that being able to develop automated 
verification techniques requires a good understanding of the simpler models, in 
particular since more complex ones are often built as a combination of basic 
models. 

The purpose of this paper is to discuss the problem of distributed monitoring 
on a simple model of finite-state distributed automata based on shared actions, 
called asynchronous automata. Monitoring is a question related to runtime veri- 
fication: assume that we have to check a property L against an unknown or very 
complex system A, so that classical static analysis is not possible. Therefore 
instead of model-checking a monitor is used, that checks the property on the 
underlying system at runtime. The question is which properties can be checked 
in this way, that is, which properties L are monitorable. A classical example 
for monitorable properties are safety properties, like "no alarm is raised" . A 
monitor for a property L is an automaton M. l that after each finite execution 
tells whether (1) every possible extension of the execution is in L, or (2) every 
possible extension is in the complement of L, or neither (1) nor (2) holds. The 
notion of monitorable properties has been proposed by Pnueli and Zaks [15 , 
and the theory has been extended to various kinds of systems, for instance to 
probabilistic systems |3ll0j or real-time systems |H2j . 

We are interested here in monitoring distributed systems modelled as asyn- 
chronous automata. It is natural to require that monitors should be of the same 
kind as the underlying system, so we consider here distributed monitoring. A dis- 
tributed monitor does not have a global view of the system, therefore we propose 



the notion of locally monitorable trace language. Our main result shows that if 
the distributed alphabet of actions is connected and if L is a set of ^-infinite 
traces (for some subset of processes r) such that both L and its complement L° 
are countable unions of locally safety languages, then L is locally monitorable. 
We also show that over F-infinite traces, recognizable countable unions of locally 
safety languages are precisely the complements of deterministic languages. 

2 Preliminaries 

The idea of describing concurrency by a fixed independence relation on a given 
set of actions SS goes back to the late seventies, to Mazurkiewicz [12] and 
Keller (see also [6]). One can start with a distributed action alphabet (SS, dom) 
on a finite set Proc of processes, where dom : SS — > (2 Proc \ 0) is a location 
function. The location dom(a) of action a <E SS comprises all processes that 
need to synchronize in order to perform this action. It defines in a natural way 
an independence relation I C SS x SS by letting (a, b) € I if and only if 
dom(a) H dom(b) = 0. 

The execution order of two independent actions (a, b) € I is irrelevant, they 
can be executed as a, b, or b, a - or even concurrently More generally, we can 
consider the congruence ~/ on SS* generated by /. An equivalence class [w]i of 
~j is called a (finite) Mazurkiewicz trace, and it can be also viewed as labeled 
pomsct t = (V,<,\) of a special kind: if w = oq ■ ■ ■ a n then the vertex set 
is V = {0, ...,n}, the labeling function is X(i) — and < =({(«, j) | i < 
j, (ai,aj) I})* is the partial order. The word w is a linearization of t defined 
as above, i.e., a total order compatible with the partial order of t. 

Infinite traces can be defined is a similar way from uj- words. Finite and 
infinite traces are also called real traces, and the set of real traces is written 
R(SS,I) (or simply R when SS,I are clear from the context). A trace t is a 
prefix of a trace t' (denotes as t < t!) if t is isomorphic to a downwards-closed 
subset of t' . The set of prefixes of t is denoted prefit). If L C R then we denote 
by Lin(L) C SS 00 the set of linearizations of traces from L. 

A language K C SS°° is called trace-closed if K = Lin(L) for some LCE. 
Whenever convenient, we talk about trace languages L C R or trace-closed word 
languages if C S'S' 00 in equivalent terms. A language L C R is recognizable if 
Lin(L) C S'S* 00 is a regular language of finite and infinite words. 

Linear temporal properties like safety and liveness |14) can be translated 
into topological properties, as closed and dense sets in the Cantor topology. For 
real traces, these notions generalize smoothly to the Scott topology, by replacing 
word prefixes by trace prefixes. The Scott topology corresponds to a global view 
in traces, where one needs to reason on global configurations, i.e., configurations 
involving several processes. However, in the setting of monitoring that we discuss 
here, such a global view is not available. Therefore we use here local safety as 
basic notion, as introduced in [J] and explained in the following. 

A trace t = (V, <, A) is called prime if it is finite and has a unique maximal 
element. That is, | max(t)| = 1, where max(t) is the set of maximal elements of 
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t w.r.t. the partial order <. The set of prime traces in R is denoted P(R). The 
set of prime prefixes of elements of L C R is denoted P(L). 

Definition 1. Let LCI. 

1. L is called prime-open if it is of the form lJ{pR | p € U} for some U C P. 
Complements of prime- open sets are called prime-closed. 

2. L is the intersection of all prime-closed sets containing L (and denoted as 
prime-closure of L ). Note that L is prime-closed. 

3. A prime-closed, recognizable language L C R is called a locally safety lan- 
guage. 

Remark 1. 1. Every prime-open set is also Scott-open, and prime-open sets 
are closed under union, but not under intersection. As an example consider 
aS, n MR which is not prime-open for (a, b) 6 /. 
2. A first-order locally safety language L C R is a prime-closed set such that 
Lin(L) is a first-order language. It is known from [4] that first-order locally 
safety languages are characterized by formulas of the form Gtp, with ip a 
past formula in a local variant of LTL called LocTL. 

We end this section by introducing our model for distributed automata. An 
asynchronous automaton A = ({S a ) a£ p roc , Sj„, (S a ) ae ss) is given by 

— for every process a a finite set S a of (local) states, 

— the initial state s in <E Yl aeProc S a , 

— for every action a € SS a transition relation S a C {Y[ a edom{a) ^q) 2 on tuples 
of states of processes in dom(a) . 

For convenience, we abbreviate a tuple (s Q ) Qe p of local states by sp, where 
P C Proc. We also denote riaeProe as global states and JlaeP as ^P- 

An asynchronous automaton can be seen as a sequential automaton with the 
state set S = l\ aeProc S a and transitions s s' if (a<j om ( ), s' dom(a) ) G 8 a , and 

spr OC \<iom(a) = s p ro c\(i m(a)- Bv we denote the set of words labeling runs 

of this sequential automaton that start from the initial state. It can be easily 
noted that C{A) is trace-closed. The automaton is deterministic if each S a is a 
(partial) function. 

Example 1. Let us consider the asynchronous automaton A given by S p — {0}, 
S q = S r = {0, 1}, and transition function S a (s p ,s q ) = (s p ,-is q ) if s q = 1 (unde- 
fined otherwise), Sd(s r ) — ^s r if s r — 1 (undefined otherwise), Sb(s q ,s r ) = (1, 1) 
if s q A s r = (undefined otherwise) and 5 c (s p ) = s p . Starting with sq = (0, 0, 0), 
an accepting run of A checks that between any two successive 6-events, there is 
either an oorarf (or both), and there is a 6-event before all a and d. 

Since the notion of a trace was formulated without a reference to an accepting 
device, it is natural to ask if the model of asynchronous automata is powerful 
enough for capturing the notion of regularity. Zielonka's theorem below says that 
this is indeed the case, hence these automata are a right model for the simple 
view of concurrency captured by Mazurkiewicz traces. 
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Fig. 1. The pomset associated with the trace t = [cbadcbadb], with dom(a) = {p, q}, 
dom(b) = {q,r}, dom(c) = {p}, dom(d) — {r}. 

Theorem 1. JT^ Let dom : SS ->■ (2 Proc \ {0}) be a distribution of letters. If a 
language L C SS* is regular and trace-closed then there is a deterministic asyn- 
chronous automaton accepting L (of size exponential in the number of processes 
and polynomial in the size of the minimal automaton for L, see f^). 

3 Safety languages 

A set of traces C C Mis called coherent if C C prefit) for some t £ R. This means 
that UC £ R exists, and it is a prefix of t. By L c we denote the complement 
K \ L of L. Recall that P(£) is the set of prime prefixes of traces inlCM. 

We use in our characterizations below a basic property of automata on traces, 
which is for instance satisfied by (runs of) asynchronous automata, called forward 
diamond property. A set K C SS* satisfies the forward diamond property if the 
following holds: 

If ua € K and ub £ K, then uab € K, for every u £ SS* and (a, b) £ I. 
Lemma 1. For L CM. we have 

L = {UC | C C P(L) and C is coherent] . 
We have L =K if and only ifP(L) = P(K). 

Proof. Let X = {UC \ C C P(L) and C is coherent}. By definition, X c = UR 
with U = P \ P(L), thus X is prime-closed (and contains L). Let K D L be 
prime-closed, thus K c = VTR with V CP. Consider some coherent set C C P(L), 
and assume that UC £ vR for some u £ V. But then u <E P(L), thus if c n L ^ 0, 
a contradiction. So X C if, which shows that L = X. 

Lemma 2. If L C R is recognizable, then the prime closure L is recognizable, 
too. Moreover, on input (SS, dom) and (sequential) Biichi automaton B such 
that L = C(B) is trace-closed, we can compute an exponential- size, deterministic 
asynchronous automaton A accepting L , such that all states of A are final. 
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Proof. Given LCR recognizable, we have that P(L) is recognizable, too. Then it 
is easy to see that L is recognizable, by using for instance monadic second-order 
logic over traces. 

Let us consider the complexity of the construction of a deterministic asyn- 
chronous automaton for L in more detail. We assume that the input L is given 
by a (sequential) Biichi automaton B. We first determinize B and get a deter- 
ministic (say Rabin) automaton B' for L. From B' we can easily construct a DFA 
accepting P(L): we just need to store the set of maximal processes in the control 
state. The resulting DFA is exponential in both B and Proc. By applying the 
construction cited in Thm.[T]we obtain a deterministic asynchronous automaton 
A for P(L) which is still exponential in B and Proc. Using classical timestamping 
we may assume that each local state reached by the maximal processes of a prime 
trace contains the complete information about the global state of A reached on 
that prime trace - the size of the deterministic asynchronous automaton A' thus 
obtained remains exponential. It remains to construct the automaton accepting 
L . Recall that L contains precisely those traces where all prime prefixes belong 
to P(L). Thus, it suffices to take A' and forbid transitions that produce bad 
local states of A' , that is, local states that are non-final viewed as global states 
of A. On finite or infinite traces, the automaton A' accepts precisely L . By 
construction, all its reachable states are final. 

Proposition 1. The following are equivalent characterizations for L C R; 

1. L is a locally- safety language. 

2. K = Lin(L) C SS°° is a regular, prefix-closed language such that K D SS 1 * 1 
is a safety language, and K l~l SS* satisfies the forward diamond condition. 

3. L is accepted by a deterministic asynchronous automaton where all reachable 
states are final. 

Proof. The implications (1) (2) and (3) (1) are immediate. For (2) =>■ (3) 
let us assume that K = Lin(L) is regular, prefix-closed and satisfies the two 
additional conditions in the statement. Since K n SS* is prefix-closed, trace- 
closed and satisfies the forward diamond property, there exists a deterministic 
asynchronous automaton B recognizing K n SS* (equivalently, the set of finite 
traces in L) such that all reachable states are final [TBJ- Since K is assumed to 
be prefix-closed and K n SS U is a safety language, we obtain that the automaton 
B accepts precisely L = L over E. 

Example 2. Assume that SS = {a,b,c} with dom(a) = {a}, dom(b) — {/3} and 
dom(c) = {a, (3}. The trace language "no two consecutive c's" is a locally safety 
language, and it can be recognized by an asynchronous automaton where both 
processes remember their last action, and do not allow two consecutive c's. 

The trace language "no a in parallel with a b" is not a locally safety language 
(but it is Scott-closed). 

For first-order languages we have, as usual, also a characterization by tem- 
poral logics: 
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Proposition 2. The following are equivalent characterizations for L C R: 

1. L is a locally- safety language definable in first- order logic. 

2. L is definable by a globally past formula in LocTL. 

3. K — Lin(L) C SS°° is a first-order, prefix-closed language such that KC\SS U 
is a safety language, and K D SS* satisfies the forward diamond property. 

Proof. The equivalence (1) (2) follows from [3], and the implication (1) => (3) 
is immediate. For (3) =>■ (1) it suffices to show that L = L (since we know by [7] 
that L must be first-order). So let t = UC, with C C P(L) coherent. For every 
u G P(L) and every linearization x of u, we have x G K since if is prefix- 
closed. Moreover, if {t,t'} is coherent and K contains all linearizations of t and 
t' , respectively, then by the forward diamond property, if contains some (and 
thus all) linearization(s) of t U t' . This shows the claim for finite traces t. For 
infinite traces it follows from K Pi SS^ being a safety language. 

4 Local monitoring 

Here and in the following we write s < L for a (finite) trace s G R and a language 
L C K if there exists some t £ L with s < t. 

Definition 2. ^4 set i C M is called locally monitorable if for all s G P i/iere 
exists some t G P wii/i (%) s < tR and (2) either tR C L oriICL c . 

Notice that in the definition of locally monitorable sets, the first condition 
says that {s,t} is coherent. So a set L is locally monitorable if for every prime 
trace s there is another prime trace t that is coherent with s and such that after 
t we know that every extension belongs either to L or to its complement L € . 

The following lemma extends a well-known observation from words to traces: 

Lemma 3. Every prime-closed trace language is locally monitorable. In partic- 
ular, every locally- safety (or locally-co-safety) language is locally monitorable. 

Proof. Let L = L and s G P. If sR is not a subset of L, then there exists some 
t = sx G L c . Since L is prime-closed this means that there is some u G P \ F(L) 
with u < t. But then {u, s} is coherent, thus s < uR and uR C L c . 

The next proposition characterizes locally monitorable sets in terms of the 
closure operator defined in the previous section: 

Proposition 3. L C R is locally monitorable if and only if L n L c does not 
contain any non-empty prime-open subset. 

Proof. First, assume by contradiction that L is locally monitorable, but sR C 
L n L c for some s G P. By symmetry in L and L c we may assume that we find 
t G P and s < tR C i. Hence, t £ P(L C ) and thus fM n I 3 =0. But sM n flR ^ 0. 
Contradiction. 

For the other direction let s G P. We may assume (again by symmetry in L 
and L c ) that sRflL ^0. Hence, there is x ^ L with s < x. This implies that 
there is t G P \ P(£) with s < tR. Thus, flR C L c and L is locally monitorable. 
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We state now the main result of this section, which shows that whenever a 
recognizable property over traces is locally monitorable, we can build a monitor 
that is of the same type as the system on which it runs, i.e., an asynchronous 
automaton. 

Theorem 2. Let L C R be recognizable. Then we can decide whether L is locally 
monitorable. Moreover, if L is locally monitorable, then we find a deterministic 
asynchronous finite state monitor for L. 

Proof. By Lemmaj2] there exist deterministic asynchronous automata A, A' 
accepting L and L c , resp., such that all their reachable states are final. 

Let (<5 a )oeSSj (^a)aeSS be the transition functions of A, A', resp. We modify 
the product automaton A x A' to a (deterministic) asynchronous automaton 
C with transition functions (A a ) ae ss : first we add two local states _L Q , T a on 
each process a E Proc. Consider a E S and some trace t on which A reaches 
state s and A' reaches state s'. Note that ta belongs to one of L or L c (or 
both). If A has no a-transition on Sd om (a) then we add A a ((s a , s' a ) a£ dom(a)) = 
{-L a )aedom(a)- If A' has no a-transition on s' dom ^ then we add the transition 
A a {{s a ,s' a ) a( z dom ( a )) = (T a ) aedom ( a y The first case corresponds to taRDL = 
0, the second one to taR n L c = 0. Else, A a ((s a , s' a )dom(a)) is defined as the 
componentwise product of £ a ( s doro(a)) an d &a( s 'dom(a))- Fi na lly> f° r each a E SS 
and each tuple Sdom{a) of states of A x A 1 : if some component of Sd om (a) is -L, 
then all components of A a (s d om(a)) become _L, and symmetrically for T. The 
language L is not locally monitorable if and only if the automaton C has some 
infinite run where no process gets into state T or _L. 

Proposition 4. The following problem is PSPACE-hard: 

— Input: A Biichi automaton B = (Q, S, 5, qo, F) . 

— Question: Is the accepted language C(B) C S u monitorable? 

Proof. The universality problem for non-deterministic finite automata (NFA) is 
one of the well-known PSPACE complete problems. We reduce this problem to 
the problem of monitorability. 

Start with an NFA A — (Q', T, 5', q , F'). We will construct a Biichi automa- 
ton B such that we have C(A) = r* if and only if C(B) C S M is monitorable. 

For this we use a new letter b and we let E = T U {&}. We use three new 
states d, e, / and we let Q — Q' U {d, e, /}. The repeated (or final) states of B 
are defined as F = {e, /}. The initial state is the same as before: go- It remains 
to define S. We keep all arcs from 6' and we add the following new arcs. 

— q — — > d -^-> e e for all q e Q' \ F' and all a € T. 

— e — — » d — — > c? 

— g — > / / for all q E F' and all c£iJ. 

In order to understand the construction, consider what happens if we reach state 
d or state /. Starting in / we accept everything, because we loop in a final state 
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of B. On the other hand starting in d we accept all words except those which 
end in 6" . Starting in d we are nowhere monitorable. 

Now, let w G S* . This can be written as uv where u G T* is the maximal 
prefix without any occurrence of b. 

Assume we have C(A) = r* , then there is path from q a to / labelled by wb 
since reading u leads us to some state in F' . This implies that wbS" C C(B) for 
all w e r*; and C(B) is monitorable. 

On the other hand, if C(A) ^ r* , then there is some word iief' such that 
u leads to states in Q'\F' , only. Thus, reading ub we are necessarily in state d. 
The language C{B) is not monitorable, due to the word ub € X 1 *. 

We have a matching upper bound for Biichi automata in the theorem below. 
Note that the input is a Biichi automaton accepting a trace-closed language, 
therefore we may see the accepted language also as a subset of R. 

Theorem 3. The following problem is PSPACE-complete: 

— Input: A Biichi automaton B — (Q, S, 5, qo, F) and (SS, dom) such that C(B) 
is trace-closed. 

— Question: Is the accepted language C{B) C R locally monitorable? 

Proof. For a subset P C Q let us write £(B, P) for the accepted language of 
B when P is used as a set of initial states. We say that P is good if either 
£(£>, P) = E" or C(B,P) = 0. The predicate whether P is good can be computed 
in PSPACE. For a letter a £ E and P,P' C Q we define another predicate 
Reach(P, P',a), which is defined to be true, if: 

P' = {qeQ\3pe PBtaeF and p q} . 

Note that Reach(P, P' , a) is computable in PSPACE, too. If there is no a e S 
such that Reach({(7o}, P' , a) becomes true for some good P' C Q, then L = 
is not locally monitorable. Thus, we may assume that such P and a exist. If there 
are two letters a and b in different connected components of (S, dom) with this 
property, then L is locally monitorable. Hence we assume in the following that 
there is only one component where such a letter a exist. Indeed, letters occurring 
in some prime traces belong to a single connected component of (£, dom); and 
due to Reach ({g }, P' , a) it is enough to consider monitorability of prime traces 
which belong to the same component as the letter a. Since every such prime 
trace can be made longer such that it ends with this letter a, we fix a in the 
following. 

Now, the language LCRis locally monitorable if and only if for all P C Q 
such that Reach({qo}, P, a) holds, there is some good subset P' such that wc 
have Reach(P, P', a). 

To see this, let L C M be locally monitorable. Consider a subset P such 
that Reach({go}, P, a) holds. This corresponds to some word s such that the 
corresponding trace s — s'a is a prime. Since L is locally monitorable, there 
exists some prime t such that s < tM. and either tR C L or tM. C L c . However, 
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by the assumption above, we may assume that s and t belong to the same 
component. We can make t longer and actually assume s < t and such that 
t = t'a. Choose some representing word w for t. If P' is the subset of states 
we can reach after reading w starting in q we have Reach(P, P', a). The set 
P' is good, because L is trace-closed. Indeed, if tR C L, then wS" C L, hence 
C(B, P') = E". If tR C L c , then C(B, P') = 0. 

For the converse it is clear that the condition is strong enough to ensure local 
monitorability of L. 

The condition to monitor a single language might be an unnecessary restric- 
tion. We can imagine a certain family of properties or languages L\, . . . , L n and 
we content ourselves with a monitor which selects one of these possibilities, even 
if certain L t and Lj do intersect non-trivially for i ^ j. This leads to the following 
definition. 

Definition 3. Let n e N and L\, L n be subsets of R. We say that the 
family {L\, . . . , L n } is locally monitorable, if 

Vs e P 3t e P 31 < i < n : s<tRCL,. 

Remark 2. A language L is locally monitorable if and only if the family {L, L c } 
is locally monitorable. 

A distributed alphabet (SS, dom) can be split into several connected compo- 
nents. This is a partition SS — SSi U • • • U SSk such that all SSi are non-empty 
and SSi x SSj C I for all 1 < i < j < k. We say that (SS, dom) is connected, 
if k = 1 and disconnected otherwise. For k > 2 we can write R = R' x R" such 
that R' and R" are both infinite. 

4.1 Disconnected case 

We assume in this section that (SS, dom) is disconnected and we write R = 
R' x R". Let L C R. If L is locally monitorable then, necessarily sR C L or 
sR C L c for some prime s € P = P(R') U P(R"). By symmetry we may assume 
s e P(R') and sR C I. As a consequence, there is no t e P(R") such iR C i c . 
On the other hand, if there is some prime t € P(M") such tR C L, then L is 
locally monitorable for a trivial reason: For every prime trace u € P we either 
have u e R' or it e R"; and by choosing either the prime s or t in the other 
component as u we satisfy the required condition for L to be locally monitorable. 

Hence we are only interested in the case that there is no prime t e R" 
such that tR C L. In this case we can reduce the problem whether L is locally 
monitorable to the component of R' as follows: First, let us define languages of 
prime traces Li={«£ P(R') | uR C L} and L 2 = {u£ P(R') | uR C L c }. Note 
that if L is recognizable, then Li,L 2 , as well as L{R' , L 2 R' , are recognizable too. 
Moreover, we can construct the corresponding automata. 

Theorem 4. Let LCK = l'xf and assume that there is some s e P(R') such 
that sR C L but there is no t e P(R") with tR C L. Then L is locally monitorable 
if and only if the family {LiR' , L 2 R'} is locally monitorable w.r.t. R' . 
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Proof. First, let L be locally monitorable and s E P be a prime. Choose some 
prime t E P with s < iR such that either tR C L or tR C L c . We cannot have 
t&R", hence i e P(i?')- Thus, either t <G Li or t e L 2 . It follows that tR' C i^R' 
or tR' C L 2 R', and hence {LiR',L 2 R'} is locally monitorable w.r.t. R'. 

For the other direction let {L]R', L 2 R'} be locally monitorable w.r.t. R'. 
Then for every prime u E P(R') there is some t> € P(R') such that u < vR' 
such that either vR' C L 1 R / or uR' C L 2 R'. In particular, either w € L\ or 
v E L2, since r < w with r E Li implies v E Li. By definition, either vR C L or 
vR C L c . Thus, L is locally monitorable on all primes of R'. Now, let u E P(R"). 
By assumption there is some s <E P(R') such that sR C L. Since R = R' x R" we 
have u < sR. Thus, L is locally monitorable. 

4.2 Connected case 

Recall that a distributed alphabet (SS, dom) is connected if it cannot be parti- 
tioned as SS = SSi U SS 2 such that SSi xS5 2 C / with 55i 7^ 7^ SS 2 - For 
connected (SS, dom) we obtain a nicer characterization of locally monitorable 
sets: 

Lemma 4. Let (S, dom) be connected. Then L is locally monitorable if and only 
if 

Vs e P 3s < t e P : f av«a c . 

Proof. Let L be such that Vs E P 3t e P : s < tR C L V s < tR C L c . We have 
to show that we can choose s to be a prefix of t. But this is clear: if s < tR, then 
there is a prime p with s < p and t < p. The result follows because pR C tR in 
this case. 

Proposition 5. TTie following assertions are equivalent. 

1. (S, dom) is connected. 

2. The family of locally monitorable sets is closed under finite union. 

3. The family of locally monitorable sets is a Boolean algebra. 

Proof. Since the locally monitorable property is symmetric for L, L c , the last 
two items of the proposition are equivalent. Let (E, dom) be connected, we show 
that locally monitorable is preserved by taking finite unions. Let L and K be 
locally monitorable and consider s E P. If we find s < t E P and either tR C L 
or tR C K, we are done. Hence there is s < t E P and tR C L c . Now, we may 
assume that there is t < u E P and uR C _ft' c . But then s < u and uR C (LUK) C . 

Conversely, let a, b E S be in different connected components of (Z 1 , dom) 
and let L = "no occurrence of a" and K = "no occurrence of 6" . Both sets are 
locally monitorable, since they are prime-closed. However, for every prime s we 
have s E L U K and sR n (L U if ) c 7^ 0. This shows that L U if is not locally 
monitorable. 
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Again, for connected alphabets and a family of languages, we can make the 
condition to be locally monitorable more precise by using Lem. |4j Indeed, if 
(£, dom) is connected, then a family {Li, . . . , L n } is locally monitorable if and 
only if 

VseP3s<teP31<i<u: tRCLi. 

Theorem 5. Let (S, dom) be connected, and L\, . . . , L n be subsets ofR such 
that 

1. R = Li U • • ■ U L n . 

2. Each -Lfc is a countable union of prime-closed sets. 
Then the family {L\, . . . , L n } is locally monitorable. 

Proof. We give the proof for n = 2, the one for n > 2 is similar. Let L = L\ and 
K = L%. Write L = f| 4 > UM and K = (\> V t R where all U h Vi C P. Without 
restriction we have UqR = VqR = R. 

By contradiction, assume that {Li,^} is not locally monitorable. This 
means that we can find some s G P such that for all t G P with {s, t} coherent 
it holds that tR n L ^ ^ tR n K. Let p Q = x = q = y = s. 

By induction let for some k > 1 prime traces Pi, X4, qi, and yi for all < i < k 
be defined such that f7, 9 p, < Xi < yi, Vi 3 qi < yi, and < x.;. 

We define Xk,Pk as follows. Since s < yt-i G P we have by assumption 
yk-iR H L 0, and thus we find < x £ L. Thus, there is pk € Uk with 

Pk < x. The set {yk-iiPk} is coherent, hence there is common finite trace w with 
Uk-i < w a n d Pfe < w. Since (£, dom) is connected, we find some prime Xk G P 
with w < Xk- The definition of ?/fc follows the same pattern. We have s < x\ < 
2/1 < X2 • • • and a; = U{a;i | i G N} exists. However, x G Pli>o n rii>o 
Contradiction, because L fl K = 0. 

Remark 3. Notice that the above proof still works if (55, dom) has only two 
connected components. In the general case it is open whether the statement of 
Thm.[H still holds. 

5 Infinite traces 

Prime-closed languages are prefix closed, so they always intersect. In particular, 
for any language L C R, it can never happen that both L and L c are countable 
unions of prime-closed sets (or equivalently, countable intersections of prime- 
open sets) , as required by Thm. [5j 

Thus, in order to define an trace analogue of Gg H F a we will restrict our at- 
tention to infinite traces where a (given) subset r of processes is active infinitely 
often and "sees" all other processes. In this way monitoring can be performed by 
processes in r . Another motivation for the new notion is due to the fact that in 
order to monitor a language we should be able to gather information into longer 
and longer prime prefixes. 

For a finite trace t we write max(t) C r if dom(a)<ir ^ for each a G max(i). 
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Definition 4. Let F be a (non-empty) subset of Proc. A trace x is called r~ 
infinite if 

— Every process from r has infinitely many actions in x. 

— x can be written as x — x n xi ■ ■ ■ such that max(x„) C F for each n > 0. 

— alph(a;) is connected. 

The set of T -infinite traces is written as Rr- 

Remark 4- If is a singleton, then for every trace x € Rr, both alph(x) and 
alphinf(a;) are connected (and non-empty). 

In the following everything is within F-infinite traces, for a fixed set r C 
Proc. In particular, the notion of closed and open are meant to be induced. The 
notion of locally monitorable is also relative to Rr- a set L C R r is locally 
monitorable if Vs e P(R r ) 3s < t <= P(R r ) : tlflK r C LVtKnR r C L c (where 
L c = R r \L). 

Definition 5. Let r C Proc be a non-empty set of processes. 

1. A set ICl r is prime-Gs if it has the form X = Hi>o ^ where all Ui are 
prime-open in Rp- The family of prime-Gs -sets is denoted PG$. 

2. A set X C R r is prime-F a if its complement is prime-Gs- The family of 
prime-Gs -sets is denoted PF CT . 

Example 3. Let P = Proc — {a, (3} and SS = {a, b, d} with dom(a) = {a}, 
dom(b) — and dom(d) = {a, (3}. Let L C R r contain all traces without 
the (trace) factor abd. Such traces are formed either by a trace from ((a* + 
b*)d+)*(a*+b*)d+ followed by a" 6", or they belong to ((a* +b*)d+) UJ . Clearly, L 
is prime-closed. The complement of L is in PF^, since L c = {J weSS , » j>o-^u>,*,j 
where X Wti j contains all traces from Rr with prefix wa l b : 'd. Each X w ^j is 
prime-closed. 

The next lemma generalizes the case of w-words. Note that we need the 
restriction to Rr (or some similar restriction). As an example, consider SS = 
{a, b} with (a, b) e /. The language L = aR is prime-open. But its complement 
L c = b°° cannot be written as countable intersection of prime-open sets in R, 
since we cannot avoid occurrences of a in such sets. 

Lemma 5. Prime-closed sets o/Rp are in PGs- 

Proof. Let L C R r be prime-closed. By definition, every UC € Rr where C is 
coherent and C C P(L), belongs to L. For K C P, a e r and k e N let 

K a) k = {p € K | |p| > fc, a e c?077i(max(p))}. 

We claim that 

L= f) P(i) Q , fe E r . 

feeN : aer 
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The inclusion from left to right follows from L C tp and the definition of 
M.p. Let x £ Rp be such that for every k £ N and a £ T, there is some 
Pa,k < x with p a £ £ P(L) a fe. By definition of M.p and of P(£) a we have that 
x = U{p Qjfc | k £ N, a £ r}. Hence, x is of the form UC for C C P(L) coherent, 
and thus in L. 

Theorem 6. 1. PG^nPFo- is a Boolean algebra containing all prime- open and 

all prime-closed subsets o/Kf . 
2. All PGs fl PF„ subsets o/lf are locally monitorable. 

Proof. PGs is closed under union. Hence, PG<5 PI PF CT is a Boolean algebra. It 
contains all prime-open and all prime-closed subsets of Mr by Lem. [5] 

The proof of the second claim follows along the same lines as the one of 
Thru. [5] Assume that Rp an( i choose some connected subalphabet SS' of 
SS that contains for each a £ T some letter a with a £ dom(a). The prime traces 
%k, Vk can be chosen such that max(it) C r, max(yfc) C r, and alph(x^ 1 y / ! i: ) = 
alph(y^"_ 1 a;fe) = SS' . Thus, x = UiXi £ Mr- 
Asynchronous Buchi and Muller automata have been studied in [8 5 . Mc- 
Naughton's theorem [TJ] stating the equivalence of non-deterministic Buchi and 
deterministic Muller automata over omega-word languages, extends to recogniz- 
able languages of infinite traces and asynchronous automata [5] . If we restrict to 
traces from M.p, then the Buchi and Muller acceptance conditions are simpler: 

Definition 6. Let r C Proc be a non-empty set of processes, and let A = 
({S a )aeProc, (^JngsSi s °) ^ e an asynchronous automaton. 

1. A Buchi acceptance condition is a set F C Sr- 

An infinite run s° — SQ,ao,Si,ai, ... of A is accepting if for some fp £ F 
and for every a £ T , there are infinitely many n > with (s n ) a = f a . 

2. A Muller acceptance condition is a set J- C J^[ Qer 2 s a . 

An infinite run s° — So,ao,Si,a±, ... of A is accepting if for some Tp £ T 
and for every a £ T, the set of states from S a such that (s n ) a = f a for 
infinitely many n, is precisely T a . 

The language C{A) is the set of all traces from M.p that have an accepting 
run. The next result is a generalization from w-word languages to lp trace 
languages: 

Theorem 7. Let L C WLp be recognizable. Then L is in PGs if and only if L is 
accepted by a deterministic Buchi asynchronous automaton. 

Proof. Assume first that L = £(^4), where A is a deterministic asynchronous 
Buchi automaton, and fix a final state f £ F. For n > 0, a £ r we define K.[ 
as the set of all traces t £ P with a £ dom(max(t)) and such that in the run of 
A on t, at least n letters on process a are in state f a . It is easy to see that the 
set U/gFflaernXi^'ii.a^r i s precisely C(A). The remaining of the proof will 
show that PGs is closed under finite union, thus C(A) £ PG$. 
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For the converse let L = f] n>0 U n C.R r be recognizable, with U n prime-open 
in M.p- We first define V n = C\ k<n U n . It is not difficult to see that each V n can 
be assumed to be of the form K n R p with max(i) C r for each t £ K n . Let now 
K' n C K n consist of all elements of K n that have no proper prefix in K n . Let 
K = U n >o ^"Ji^n, where X n is the set of traces t such that (1) max(t) C r, (2) 
> w for each a e _T, and (3) no proper prefix of t satisfies (1) and (2). 

Let us first show that L = {UC \ C Q K, C coherent}. The inclusion 
from left to right follows from L = f] n>0 U n = f] n>0 K n R r = f] n>0 K' n R r = 
C\n>o K' n X n Rr- Conversely, let t — x xi . . . with x ■ ■ ■ x n £ K for all n. Observe 
that we must have infinitely many n such that x • • • x m e K n for some m, since 
K' n is prefix-free. Thus, teV„ for infinitely many n and t € U n for all n. 

To conclude, we show that if L = {UC \ C C if, C coherent} for some if, and 
£ C K r is recognizable, then L is the language of a deterministic asynchronous 
Biichi automaton. We assume as above that max(i) C r for all t E K. Since L is 
recognizable, there is some deterministic Muller automaton A with acceptance 
condition T and C{A) = L. We may also assume that on every finite trace t the 
states of processes from dom(m&x(t)) reached on t determine the states of all 
other processes. First we test for every T e T if there is some trace from R r 
accepted with T. Without restriction this is the case for all T e T . For each T 
we can determine a reachable state s(T) £ Yl al£ r ^ a anc ^ nn ite traces to(T), t(T) 
with max(to(? 1 ), max(f(T)) C r such that (1) to(T) leads from the initial state 
to s(T), (2) t(T) is a loop on state s(T) and (3) the set of a-states in the loop 
t(T) is precisely T a . In addition, to(T) is connected. 

We claim that A accepts L with the following (Biichi) condition: a trace 
is accepted if for some T £ T, every state from T a occurs infinitely often, for 
every a £ r. It is clear that all of L is accepted in this way by A. Conversely, 
let x be an arbitrary trace with max(x) C r and looping on state s(T). We 
have tot(T) u £ L, so there is some n and u in K such that u < t n t(T) n °. 
Since t t{T) n ° x t(T) u £ L wc find some m such that m < t t(T) n ° x t(T) ni 
for some u\ £ K with uo < u\. In this way we can build a trace t from Rp, 
t = t t(T) n °xt(T) ni x- ■ ■ , with t = U n > u n £ {UC | C C K , C coherent} and 
such that for each a £ T, the set of states from S a repeated infinitely often is a 
superset of T a . The claim follows since L — {UC | C C K , C coherent}. 

Remark 5. For the previous proof we do not need the connectedness assumption 
in the definition of Rr- On the other hand, it is open whether without this 
assumption all PG«5 n PF CT sets are still locally monitorable. 

Conclusion 

Our aim in this paper was to propose a reasonable notion of distributed mon- 
itoring for asynchronous systems. We argued that distributed monitors should 
have the same structure as the system that is monitored. We showed that prop- 
erties over i^-infinite traces that are deterministic and co-deterministic, are lo- 
cally monitorable. It would be interesting to consider alternative restrictions to 
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/"-infinite traces, that capture some reasonable (partial) knowledge about the 
asynchronous system and for which PG$ fl PF CT sets are locally monitorable. 
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